What is Tally ERP 9
Despite the more than dubious description, Tally ERP 9 is quite a popular product in India, with more than two million users. Given the size of its audience, Tally is one of the most popular solutions of its kind in India.
It is not surprising, then, that the Indian police approached Elcomsoft developers with a request to crack the Tally ERP 9 secure storage. In such cases we try not just to crack one specific database, but to add support for the format to one of our products. That is how this story began.
How are documents and internal databases usually encrypted? As a rule, vendors keep it simple. AES with a key length of 128, 192 or 256 bits is chosen as the encryption algorithm. The data encryption key, the Media Encryption Key (MEK), is produced by one of the standard cryptographically strong random number generators, and is then encrypted with a Key Encryption Key (KEK). The KEK, in turn, is derived from the combination of the user's password and a salt using one of the standard hash functions (most often SHA-1, SHA-256 or SHA-512). The strength of the scheme is raised by increasing the number of hash iterations; we have seen anything from 10 thousand iterations (very fast to brute-force) up to a million (very slow) inclusive. Simplified to the limit: to add support for a new format we only need to determine which hashing algorithm the vendor used, find the iteration count, and find where the salt is stored.
In the case of Tally ERP 9, everything went wrong.
Tally Vault Encryption
Tally ERP 9 includes a secure storage implementation called Tally Vault. Encryption in ERP 9 is optional, and so is the vault password. The vault password can be set either when a company is created or at any time afterwards.
When the user sets a password, the system creates a new, protected store. The old, unprotected one remains, and the user can delete it later. For us this scheme is extremely convenient: an encrypted copy of the store can be compared directly against the unencrypted one.
This is what the company selection screen looks like when both an encrypted and an unencrypted version of the data exist.
Data in recent versions of Tally ERP 9 is saved by default in
All files with the .900 extension whose size exceeds 512 bytes will be encrypted. The main storage file is Company.900. User information is saved in this file if the Use security control option is enabled. Here is what this file looks like in a hex editor before encryption.
And here it is after encryption.
The file is logically divided into 512-byte sectors (pages). Four bytes of a checksum (CRC) are written at the start of each page. To check a block's integrity, the CRC of the remaining 512 - 4 = 508 bytes is computed and compared with the first four bytes.
The encryption key is derived directly from the password: there is no salt, let alone a separation into a Media Encryption Key and a Key Encryption Key. The Indian developers chose not to rely on existing cryptographic transformations and created their own, a real cryptographic nightmare.
Every hashing algorithm, without exception, ensures that flipping even one bit of the hashed input produces a drastic change in the hash. The Indian developers managed the incredible: they created a hash function in which a small change in the password produces only a small change in the result. Moreover, we got the impression that under certain conditions this hash can be reversed to recover the original password from it (provided, of course, that the entropy of the password does not exceed the entropy of its checksum). The cherry on top: the transformation is applied exactly once.
For example, here is what the password-derived encryption keys look like for pairs of passwords that differ in a single character:
| Password | Key (two 32-bit words) | Key bytes |
| --- | --- | --- |
| pwd1 | 0x653C68AC 0x4BA84BA8 | ac 68 3c 65 a8 4b a8 4b |
| pwd2 | 0x653C69A7 0x4BA84BA8 | a7 69 3c 65 a8 4b a8 4b |
| password1 | 0x74258DD3 0x57CE36D7 | d3 8d 25 74 d7 36 ce 57 |
| password2 | 0x90A78DD3 0xB34C36D7 | d3 8d a7 90 d7 36 4c b3 |
| password12345678 | 0xC6C57C3D 0xE52EC739 | 3d 7c c5 c6 39 c7 2e e5 |
| password12345679 | 0xC6C51936 0xE52EA232 | 36 19 c5 c6 32 a2 2e e5 |
| qwertyui123456789 | 0xD15D72DD 0x06309E8D | dd 72 5d d1 8d 9e 30 06 |
| qwertyuj123456789 | 0xD15D4D77 0x0630A127 | 77 4d 5d d1 27 a1 30 06 |
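To put a number on the weak diffusion described above, here is an added example (not from the article or from Elcomsoft) that measures how many of the 64 key bits change between each password pair in the table and compares that with an unsalted SHA-256 truncated to 64 bits, where a one-character change should flip about half the bits. The key bytes are copied from the table; nothing about Tally's own derivation is reimplemented.

```python
import hashlib

# 64-bit password-derived keys exactly as printed in the table above
# (right-hand column byte order). These are the article's values, not computed here.
TALLY_KEYS = {
    "pwd1":              bytes.fromhex("ac683c65a84ba84b"),
    "pwd2":              bytes.fromhex("a7693c65a84ba84b"),
    "password1":         bytes.fromhex("d38d2574d736ce57"),
    "password2":         bytes.fromhex("d38da790d7364cb3"),
    "password12345678":  bytes.fromhex("3d7cc5c639c72ee5"),
    "password12345679":  bytes.fromhex("3619c5c632a22ee5"),
    "qwertyui123456789": bytes.fromhex("dd725dd18d9e3006"),
    "qwertyuj123456789": bytes.fromhex("774d5dd127a13006"),
}

PAIRS = [("pwd1", "pwd2"), ("password1", "password2"),
         ("password12345678", "password12345679"),
         ("qwertyui123456789", "qwertyuj123456789")]


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def unchanged_bytes(a: bytes, b: bytes) -> int:
    """Number of byte positions that are identical in both keys."""
    return sum(1 for x, y in zip(a, b) if x == y)


def sha256_key(password: str) -> bytes:
    """Reference derivation: first 64 bits of unsalted SHA-256 (for comparison only)."""
    return hashlib.sha256(password.encode("utf-8")).digest()[:8]


def compare_pair(p1: str, p2: str) -> dict:
    """Diffusion of a one-character password change through both derivations."""
    t1, t2 = TALLY_KEYS[p1], TALLY_KEYS[p2]
    s1, s2 = sha256_key(p1), sha256_key(p2)
    return {
        "tally_bits_changed": hamming_distance(t1, t2),    # out of 64
        "tally_bytes_unchanged": unchanged_bytes(t1, t2),  # out of 8
        "sha256_bits_changed": hamming_distance(s1, s2),   # expected around 32 of 64
    }


if __name__ == "__main__":
    for p1, p2 in PAIRS:
        r = compare_pair(p1, p2)
        print(f"{p1} -> {p2}: Tally {r['tally_bits_changed']}/64 bits changed, "
              f"{r['tally_bytes_unchanged']}/8 bytes untouched; "
              f"SHA-256 {r['sha256_bits_changed']}/64 bits changed")
```

For every pair, at least half of the Tally key bytes are untouched, while the SHA-256 reference scatters the change across the whole output.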
Pages are encrypted with an algorithm whose principle is very similar to ordinary DES. Encryption uses a 64-bit key (which, during operation, is expanded into a 128-bit extended key, as in real DES). It is a block cipher with the usual DES block size of 64 bits. The algorithm is used in CBC mode with an all-zero IV.
Let me remind you that DES (Data Encryption Standard) is a symmetric encryption algorithm approved by the US government in 1977 as an official standard. In 2001 DES was retired and replaced by the now-familiar AES. What made the Indian developers base their design on the principles of this particular algorithm is a mystery to us, but if they were betting on "nobody will guess", they were mistaken.